Skill v1.0.0

ClawScan security

OEE AI Cost Tracker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 14, 2026, 2:55 PM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and resource requirements are consistent with its stated purpose (local logging, reporting, and routing suggestions) and do not request credentials or network access.
Guidance
This skill is coherent and local-only, but review the following before installing: (1) It creates/updates usage.jsonl in the skill directory — ensure that file location is acceptable and not a shared/remote mount. Logged fields include description and taskType you pass; avoid logging full prompts or secrets. (2) pricing.json is static — verify prices are accurate for your providers and update as needed. (3) The cost estimates are local heuristics (not authoritative billing data) and unknown/unsupported model names return a $0 estimate. (4) There are minor robustness issues (e.g., a possible division-by-zero when all recorded costs are zero) — harmless but may raise errors on edge cases. If you accept local logging of usage and the minimal file writes, this skill is reasonable to use. If you need centralized or auditable billing, prefer vendor billing APIs rather than local estimates.

Review Dimensions

Purpose & Capability
ok
Name/description (track API usage, report spend, suggest cheaper models) match the provided files: tracker.py logs entries to a local JSONL file, report.py reads that file and pricing.json to produce reports and suggestions. No unrelated binaries, env vars, or external services are requested.
Instruction Scope
ok
SKILL.md instructs importing log_usage and running report.py, which is exactly what the code implements. The runtime instructions only read/write local files in the skill directory (pricing.json and usage.jsonl). There are no directives to read other system files, environment variables, or send data to external endpoints.
Install Mechanism
ok
No install spec; this is an instruction-only skill with small Python scripts that rely on the stdlib. No downloads, packages, or extraction steps are present.
Credentials
ok
No environment variables, credentials, or config paths are required. The skill stores logs in a local usage.jsonl file and uses a local pricing.json; both are reasonable and proportionate for the stated purpose.
Persistence & Privilege
ok
always is false and the skill does not request elevated or persistent platform privileges. It only creates/updates a usage.jsonl file alongside the code (normal for a local logger).